Revealed: the scope of DHS’s passenger data collection and the Telegraph’s alarmism

DHS's expansive and invasive demands for passenger data from the EU are bad, …

The UK's Telegraph starts the new year off in high style with an alarmist and sensationalist article on the Department of Homeland Security's post-9/11 efforts to collect data on passengers entering the US. The article, entitled "US 'licence to snoop' on British air travellers," features picture captions that proclaim, "Air passengers face having credit card transactions and email messages inspected by the American authorities." The article also includes this assertion:

By using a credit card to book a flight, passengers face having other transactions on the card inspected by the American authorities. Providing an email address to an airline could also lead to scrutiny of other messages sent or received on that account.

Anyone who has been reading Ars since 1998 knows that I've done my fair share of ranting about the American government's increasing hostility to privacy and civil liberties, and it's definitely the case that the scope of the data that the TSA is demanding on foreign air travelers is extremely troubling. But an inspection of the actual sources for the Telegraph's story reveals that the claims quoted above about email and credit card transaction snooping are just hysterical sensationalism of the sort that damages the legitimate efforts of everyone who's concerned about the increasing invasiveness of US security policy. In short, the real story is indeed disturbing, but the Telegraph's more inflammatory claims are bollocks.

But before we talk bollocks, let's talk actual facts.

The scope of the TSA's passenger data demands

Earlier this month, the Department of Homeland Security released an important document, Undertakings Of The Department Of Homeland Security Bureau Of Customs And Border Protection (CBP) ("Undertakings" for short), in response to a Freedom of Information Act (FOIA) request. The Undertakings, from May of 2004, cover the types and uses of passenger data that the US began demanding of European airlines for persons entering the country in the wake of 9/11.

This passenger data comes in the form of a passenger name record (PNR) for each traveler. The PNRs of passengers are then fed into the TSA's Automated Targeting System (ATS), which examines the records and automatically assigns each passenger a threat score.

Before the publication of the Undertakings, the nature and scope of the data contained in each PNR wasn't known for sure. (A draft version was made public in 2004, and it's substantially the same as the official version.) It turns out that the amount of data provided to the US by European airlines is much more comprehensive than what the EU itself allows to be collected on passengers, and in May a European court put a stop to the data sharing arrangement. October then saw a temporary reinstatement of the agreement, under a compromise in which the EU allowed it to continue until June of 2007.

According to the official Undertakings, the PNRs demanded by the US contain the following data:

Attachment "A" PNR Data Elements Required by CBP from Air Carriers

PNR record locator code

Date of reservation

Date(s) of intended travel

Name

Other names on PNR

Address

All forms of payment information

Billing address

Contact telephone numbers

All travel itinerary for specific PNR

Frequent flyer information (limited to miles flown and address(es))

Travel agency

Travel agent

Code share PNR information

Travel status of passenger

Split/Divided PNR information

Email address

Ticketing field information

General remarks

Ticket number

Seat number

Date of ticket issuance

No show history

Bag tag numbers

Go show information

OSI information

SSI/SSR information

Received from information

All historical changes to the PNR

Number of travelers on PNR

Seat information

One-way tickets

Any collected APIS information

ATFQ fields

This is the same list that was available in draft form in 2004, and I've boldfaced the entries that appear to be the basis for the Telegraph's claims about the US possibly snooping on the emails and credit card transactions of Britons. But more on that in a moment.

One conclusion that we can draw from the most recent TSA privacy office report [PDF] on the defunct Secure Flight passenger screening program is that all of this PNR data is by no means available for every passenger, either domestic or international. However, the TSA could theoretically fill gaps in the record by using commercial databases, and indeed this kind of gap filling is exactly what got the TSA's Secure Flight pilot program into trouble. (In a nutshell, the TSA publicly claimed that the Secure Flight program wouldn't have direct access to commercially available data on passengers, but many of the PNRs that were fed into the program had been supplemented by data from commercial databases.)

Whether the TSA gets email addresses, credit card numbers, and the like directly from passengers or from commercial database providers, my own knowledge of Secure Flight and of the working of other, related efforts at automated threat detection suggests that the agency's possession of this information doesn't matter too much in the near- to medium-term.

Basically, the TSA doesn't really know how to automatically process all of this PNR data in a truly effective manner—that much is evident from the way that the basic specs and goals of the Secure Flight pilot program kept changing over the course of its existence. However, the entire national security apparatus, and certain elements of the Executive Branch all the way up to the Vice President's Office, are powerfully driven by the sense that if they can collect enough information on airline passengers (and on everyone else, for that matter), they'll eventually find a way to mine it for intelligence leads. The idea is to keep throwing money, manpower, and computer hardware at this massive torrent of data, with the expectation that at some point we'll hit upon a reliable, automated system for filtering from it a precious trickle of timely, actionable intelligence that can guide terrorist and criminal investigations.

This big-government, defense contractor-friendly "money + geeks in a secret lab = miracles" approach to homeland security is the very essence of the Cold War-era "Manhattan Project" mentality that I described in an article entitled Start-ups and state secrets: what Silicon Valley can do for homeland security. I won't repeat anything I've said previously about how ineffective this probably is compared to other, more traditional methods of targeted intelligence gathering, and I won't bore you with a disquisition on how corrosive this kind of wholesale automated surveillance is to core democratic values.

For now, it suffices to say that the US is currently demanding such a wealth of passenger information from the EU not because it has nefarious designs on the credit card records and email traffic of British citizens, but because it has a strong but ill-formed sense that "more data is better," and it believes that "if we throw more money and more computers at more data then we're bound to get real intel at some point."

Back to bollocks

To return to the topic of the Telegraph article, here are the PNR entries on which I think the Telegraph's claims are based:

All forms of payment information

Email address

General remarks

The first entry above is where the Telegraph gets the credit card claim. If you purchase a ticket on your credit card, then that number becomes part of the PNR. As I said above, the entire PNR is fed into the ATS for automatic scoring, which means that if that card number has been linked to some suspicious activity or to a criminal or terrorist investigation, then yes, you'll be flagged for further scrutiny. Or, if the system uses the other fields to score you so highly that your PNR comes to the attention of an actual human, then that agent may indeed start looking more closely at your credit card number.

Now, I'm not particularly enamored of any of this, but contrary to the impression given by the Telegraph article, the newly released document gives no indication that the feds plan to just start pulling people's credit card numbers out of their PNRs and snooping their purchase habits, willy-nilly. I suppose that such random, malicious snooping could theoretically happen, and that possibility in itself is a problem, but the mere fact that credit card information is one of 34 items that gets fed into an automated system for threat scoring doesn't particularly suggest that it will.

The situation is similar with the email address field. Again, this is just another piece of data that they're going to feed into the automated system to see if it matches up with any other email addresses on a hotlist. There simply is nothing in the newly released document that suggests that the point of gathering this information is so that your email can be broken into by some three-letter government entity.

(It's interesting to note that the PNR also includes your telephone number, but the article raises no suspicions of wiretapping. Nor does the Telegraph float the possibility that your travel agent will be interviewed about you, or that your billing address will be surveilled by agents. I suppose email snooping is scarier and sexier, because it involves the Internet.)

The "general remarks" field is interesting, because this is almost certainly where the Telegraph gets its claim that the feds want to know about passengers' "religious dietary requirements." What probably happened here is that the reporter was trying to ferret out the meaning of each of the fields in the PNR, so he asked someone in the know, "hey, what about this 'general remarks' field?" And then his source told him, "if you have any special needs, like a wheelchair at the gate, or you're blind and you'll be bringing a seeing eye dog, or you have religious dietary requirements, and so on, then we put it in that field." And voila! We now have the vague specter of anti-Muslim profiling based on airline meal choices.

At any rate, yes, if you have some religious dietary requirements then that information could be noted in your PNR, along with other noteworthy peculiarities about your ticket (e.g. disabilities, or the fact that you're an unaccompanied minor). Yet again, nothing in the Undertakings suggests that the TSA is on a crusade against people who order pork-free meals, or who request meals with absolutely no peanut products in them, or who want to eat kosher, etc.

Ultimately, I think that technologies of mass surveillance are a bad thing, and that this kind of indiscriminate data gathering is foolish, wasteful, and harmful both to democracy and national security. But I suppose that it's much harder to make a real case against DHS's unreasonable (and un-American) intrusions into passengers' privacy than it is to scare people with the vague specter of email snooping and anti-Muslim profiling. Shame on the Telegraph for such lazy "reporting."